authorSimo Sorce <simo@redhat.com>2013-02-25 20:50:34 +0100
committerSimo Sorce <simo@redhat.com>2013-03-14 13:42:50 -0400
commit439cdc5dd9e67badb9c5ed9c3df8a5efed6f314a (patch)
tree53eb1925352fea4702ca821fb76e0a6bfc004f93 /proxy/src/gp_socket.c
parent149c8346588e98949ca15ef98634a5b8e37a0be6 (diff)
Add support to get peer's SeLinux context
Diffstat (limited to 'proxy/src/gp_socket.c')
-rw-r--r--proxy/src/gp_socket.c23
1 files changed, 21 insertions, 2 deletions
diff --git a/proxy/src/gp_socket.c b/proxy/src/gp_socket.c
index a782564..8bb71d1 100644
--- a/proxy/src/gp_socket.c
+++ b/proxy/src/gp_socket.c
@@ -36,6 +36,13 @@
#include "gp_proxy.h"
#include "gp_creds.h"
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#define SEC_CTX security_context_t
+#else
+#define SEC_CTX void *
+#endif /* HAVE_SELINUX */
+
#define FRAGMENT_BIT (1 << 31)
struct unix_sock_conn {
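Review bot: `SEC_CTX` is a macro that expands to a pointer type in the non-SELinux branch (`#define SEC_CTX void *`), so a declaration such as `SEC_CTX a, b;` would make only `a` a pointer and `b` a plain `void`. A typedef removes that hazard and keeps both branches the same shape: `typedef security_context_t SEC_CTX;` under `HAVE_SELINUX` and `typedef void *SEC_CTX;` otherwise. It would also help to add a short comment above the block, for example `/* SEC_CTX: peer's SELinux label as returned by libselinux; placeholder pointer when built without SELinux */`.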
@@ -51,6 +58,7 @@ struct gp_conn {
struct gssproxy_ctx *gpctx;
struct unix_sock_conn us;
struct gp_creds creds;
+ SEC_CTX secctx;
};
struct gp_buffer {
@@ -172,8 +180,6 @@ done:
return fd;
}
-/* TODO: use getpeercon for SeLinux context */
-
static int get_peercred(int fd, struct gp_conn *conn)
{
socklen_t len;
@@ -192,6 +198,19 @@ static int get_peercred(int fd, struct gp_conn *conn)
}
conn->creds.type |= CRED_TYPE_UNIX;
+
+#ifdef HAVE_SELINUX
+ ret = getpeercon(fd, &conn->secctx);
+ if (ret == 0) {
+ conn->creds.type |= CRED_TYPE_SELINUX;
+ } else {
+ ret = errno;
+ GPDEBUG("Failed to get peer's SELinux context (%d:%s)\n",
+ ret, strerror(ret));
+ /* consider thisnot fatal, selinux may be disabled */
+ }
+#endif /* HAVE_SELINUX */
+
return 0;
}
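Review bot: The string that `getpeercon()` stores in `conn->secctx` is allocated by libselinux and must be released with `freecon()`, but no hunk in this diff adds that call; the connection teardown path is outside the visible hunks, so unless it is handled there this leaks one context per accepted connection. The `else` branch leaves the field as it was, so I would add `conn->secctx = NULL;` there so later code never reads a stale or uninitialised pointer, and any consumer should test `CRED_TYPE_SELINUX` before using the label. Treating the failure as non-fatal is reasonable when SELinux is disabled, but on an enabled system it means the peer is accepted without a label, so consider checking `is_selinux_enabled()` and logging or rejecting that case distinctly. The body of get_peercred begins before this hunk.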